Implement WPA2 Enterprise Encryption on Your WLAN
By Eric Geier (NoWiresSecurity Founder & CEO) - originally published on
Implementing WPA2 Enterprise encryption with 802.1X authentication
provides the best Wi-Fi security for businesses. However, as you may
know, it isn't easy to set up and support. Nevertheless, you
shouldn't let this stop you.
The Personal or Pre-Shared Key (PSK) mode of WPA2 doesn't provide
adequate security for businesses. Encryption keys are more
vulnerable to cracking, static encryption keys are a problem when
devices are lost or stolen, and employees can snoop on others or
even hand out the encryption key to outsiders.
The Enterprise mode of WPA2 gives you dynamic encryption keys
distributed securely after a user logs in with their username and
password or provides a valid digital certificate. Users never see
the actual encryption keys, and they aren't stored on the device.
This protects you against rogue or terminated employees and lost or
stolen devices. The list of reasons to use Enterprise mode goes on.
In this article, I'll discuss the issues related to deploying and
using 802.1X. Best of all, I'll share some tips that can help you
overcome them. Let's get started!
Expertise, time, and cost to set up a RADIUS server
Your first concern might be the
expertise, time and cost involved in setting up the RADIUS server,
required for the 802.1X authentication. This is especially true for
smaller businesses that don't have a big IT staff or budget, or any
at all. However, there are RADIUS servers that are user-friendly,
fairly easy to set up, and won't break the bank. The Elektron RADIUS
Server runs at $750, the ClearBox Enterprise RADIUS Server $599, and
the TekRADIUS Server is free. Another free option is the open source
FreeRADIUS server, great for experienced IT administrators.
You don't even have to set up your own server if you use a hosted
RADIUS service. This is great for smaller businesses, or those that
don't want to dedicate the time or money to setting up and maintaining
a server. Plus it doesn't require any real advanced technical
Configuring computers and devices
As you may know, you can't just
connect to an Enterprise-protected wireless network like you do with
the Personal or PSK mode. The 802.1X authentication settings must be
preconfigured in Windows, either by you or the end-user. This is
complicated even more if end users bring their own laptops or mobile
If you run a domain with Active Directory on a Windows Server, you
may be able to push client settings to some end-users with GPO. The
Netsh command-line tool can also help, even without a Domain
Keep in mind, there are third-party solutions you can use to create
a wizard to help automate the client configuration process. The SU1X
802.1X Configuration Deployment Tool is a free and open source
solution. Xpressconnect and Quick1X are commercial options. Once you
create a configuration wizard, you might even look into creating a
separate setup SSID with a captive portal that's unencrypted just so
users can download the wizard, which would then configure and
connect them to the Enterprise-protected SSID.
There are also solutions to help configure mobile phones. Apple, for
example, offers the iPhone Configuration Utility (iPCU) to push
802.1X and other settings to iPhones, iPod Touches, and iPads.
Creating and maintaining a PKI for digital certificates
If you're setting up your RADIUS
server, another concern you might have is creating and maintaining a
Public Key Infrastructure (PKI) and certificate authority (CA) for
issuing the digital certificates required by the 802.1X
authentication. However, keep in mind that if you use the PEAP protocol
for 802.1X, only one digital certificate is required, for the RADIUS
server, rather than the server and all the clients with the EAP-TLS
Remember, if you use a hosted RADIUS/802.1X service, you don't have
to worry about this at all.
To get the digital certificate for the RADIUS server you can create
your own CA, which most RADIUS servers help you with. Then a client
configuration wizard like the three I mentioned can help install the
CA certificate to the computers and devices.
If you don't want to install the CA certificate on all the
computers, you can pay to get a digital certificate signed by a
public CA, like VeriSign or GoDaddy. Most RADIUS servers can also
help you create a signing request to submit to the public CA in
order to get the signed certificate for the RADIUS server. GoDaddy
charges as little as $50 for an SSL certificate.
WPA2 Enterprise is also vulnerable to
some attacks. For example, someone could set up an AP with the same
SSID and a modified RADIUS server in hopes of capturing and cracking
the login credentials. However, you can help prevent this type of
attack from being successful by ensuring you specify three optional
settings in Windows, on the PEAP or Smart Card/Certificate window:
1. Check the Validate server certificate option and select the
   Trusted Root Certificate Authority from the list.
2. Check the Connect to these servers option and input the domain
   name or IP address of the RADIUS
3. Check Do not prompt user to authorize new servers or trusted
   certificate authorities.
Similar settings exist for most other operating systems and
Also remember that you can apply these
settings with a client configuration wizard like I mentioned
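As an added check that is not part of the original article, the following Python script audits a Windows WLAN profile (as written by netsh wlan export profile) for the three PEAP settings listed above, so you can verify a deployed configuration rather than trust the wizard; the sample profile fragment, server names and CA thumbprint are constructed placeholders.

```python
# Added example (not the article's code): audit an exported Windows WLAN
# profile (netsh wlan export profile) for the three PEAP settings above.
import xml.etree.ElementTree as ET

PEAP_V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
PEAP_V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"

def audit_peap(xml_text: str) -> dict:
    """Map the three UI settings to the elements Windows writes for them."""
    root = ET.fromstring(xml_text)
    f = {"validate_server_certificate": False, "trusted_root_ca_pinned": False,
         "connect_to_these_servers": [], "no_prompt_for_new_servers": False}
    # In a real export these elements sit several levels under <WLANProfile>;
    # iter() finds them wherever they are.
    for sv in root.iter(f"{{{PEAP_V1}}}ServerValidation"):
        names = sv.findtext(f"{{{PEAP_V1}}}ServerNames", default="")
        f["connect_to_these_servers"] = names.replace(";", " ").split()
        prompt = sv.findtext(f"{{{PEAP_V1}}}DisableUserPromptForServerValidation", default="")
        f["no_prompt_for_new_servers"] = prompt.strip().lower() == "true"
        ca = sv.findtext(f"{{{PEAP_V1}}}TrustedRootCA", default="")
        f["trusted_root_ca_pinned"] = bool(ca.strip())
    for psv in root.iter(f"{{{PEAP_V2}}}PerformServerValidation"):
        f["validate_server_certificate"] = (psv.text or "").strip().lower() == "true"
    return f

def is_hardened(f: dict) -> bool:
    """True only when all three settings are set and a trusted root is pinned."""
    return (f["validate_server_certificate"] and f["trusted_root_ca_pinned"]
            and bool(f["connect_to_these_servers"]) and f["no_prompt_for_new_servers"])

# Constructed sample: only the PEAP <EapType> subtree of an exported profile,
# with a placeholder thumbprint (not a real CA).
HARDENED = f"""<EapType xmlns="{PEAP_V1}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>radius1.example.com;radius2.example.com</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="{PEAP_V2}">true</PerformServerValidation>
    <AcceptServerName xmlns="{PEAP_V2}">true</AcceptServerName>
  </PeapExtensions>
</EapType>"""

# A weakened variant of the same profile: prompts for unknown servers are
# allowed and no server name is pinned, so the rogue-AP check fails.
WEAK = (HARDENED
        .replace("<DisableUserPromptForServerValidation>true", "<DisableUserPromptForServerValidation>false")
        .replace("radius1.example.com;radius2.example.com", ""))
```

On a real machine, run netsh wlan export profile and pass the file's contents to audit_peap(); any False in the result is a setting the wizard should be setting.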